Several high-profile lawsuits have been filed in recent years by shareholders seeking to hold corporate officers and directors liable for damage resulting from data security breaches. For example, directors and officers at Target (2014), Wyndham Hotels (2014), and Home Depot (2015) faced such shareholder derivative actions in connection with data breaches experienced by those companies.
So far, these cases have all ended the same way: the trial court dismissed the shareholders’ complaint for failure to allege facts sufficient to overcome initial pleading hurdles, such as demand futility and the business judgment rule.
In light of this string of dismissals, one might be tempted to conclude that shareholders would give up on pursuing directors and officers in the wake of a data breach.
But two recently-filed shareholder suits, against Wendy’s and Yahoo!, show that, despite mounting unfavorable court rulings, the plaintiffs’ bar persists in searching for ways to crack the judicial code and plead viable D&O claims stemming from data security breaches. Thus, the potential for D&O liability resulting from data breaches and the defense costs associated with the cases should remain a concern for insurers and corporations alike.
On December 16, 2016, a Wendy’s shareholder initiated a derivative lawsuit in the federal district court for the Southern District of Ohio against the company and nineteen of its directors and officers for liability from a data security breach. Wendy’s began investigating a potential data breach in early 2016, after learning of unusual activity at one of its restaurants. In a series of public disclosures stretching from February to July 2016, the company stated that it had discovered certain malware had been installed in point of sale systems used at over 1,000 Wendy’s restaurant locations, and as a result, the personal and financial information of Wendy’s customers had been compromised between October 2015 and June 2016. Similar to the complaints filed against Target, Wyndham and Home Depot, the complaint against Wendy’s asserts claims for breach of fiduciary duty, corporate waste, unjust enrichment and “gross mismanagement” in connection with the data breach.
No doubt to avoid a fate similar to that of the shareholder suits against Target, Wyndham, and Home Depot, the plaintiff in the Wendy’s case has made a concerted effort to plead allegations sufficient to demonstrate demand futility. For example, the complaint alleges that a group of the defendants owns enough stock to command a controlling interest in the company and that a number of defendants have familial ties or other connections to the controlling defendants such that they are “beholden to the controlling shareholder defendants” and ostensibly incapable of impartially considering a demand to sue. The defendants have moved to dismiss on several grounds, including failure to adequately plead demand futility. Wendy’s, like Wyndham and Home Depot, is a Delaware corporation, and thus, the written opinions in those two cases (both of which were cited in the defendants’ motion to dismiss) are likely to be particularly instructive to the Ohio district court. It remains to be seen whether the facts of this case are sufficiently distinguishable for the plaintiff to avoid dismissal.
On February 21, 2017, shareholders of Yahoo! filed a derivative lawsuit in Delaware chancery court against the company’s CEO, one of its co-founders, and the chairman of its board, among others. The shareholder suit is the latest in a series of lawsuits filed against Yahoo! stemming from the company’s late 2016 disclosures that it was hacked on two separate occasions in 2013 and 2014, resulting in the theft of personal information belonging to over 1.5 billion Yahoo! users. In its 2016 Annual Report, Yahoo! reported that “43 putative consumer class action lawsuits have been filed against the Company in U.S. federal and state courts” relating to the data breaches. Though the Delaware shareholder complaint is sealed, related court filings indicate that the lawsuit alleges breach of fiduciary duty claims against the defendants relating to the non-disclosure of the data security breaches, making it similar to the lawsuits filed against Target, Home Depot, Wyndham and Wendy’s.
Though the case was only recently filed and the complaint has not yet been tested by a motion to dismiss, the Yahoo! case may stand the best chance yet of surviving the pleading stage. To begin with, the sheer size of the breach (over 1.5 billion compromised accounts), the time between the breach and public disclosure (between two and three years) and the fact that Yahoo! is a technology company whose core business is providing email accounts secured by passwords may be enough to support a claim that the defendants breached their fiduciary duties in preventing, detecting and remedying the data breach. Furthermore, as disclosed in the company’s annual report, an independent committee formed by the Yahoo! board, and assisted by independent counsel as well as a forensic expert, conducted an investigation and issued a report concluding, among other things, that “certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally” relating to the data breaches. This is in contrast to the Target case, where a Special Litigation Committee issued a ninety-one page report recommending that the company not pursue D&O litigation, which report included detailed findings on the steps the company took to implement security measures pre-breach and to remedy the breach once it was discovered.
The Wendy’s and Yahoo! suits serve as a reminder that, even though courts have thus far dismissed D&O suits stemming from data breaches, plaintiffs continue to file these suits. And the specter of D&O defense costs and liability remains.
Bilal Zaheer and Molly McGinnis Stine are Partners in Locke Lord’s Chicago office. They can be reached at firstname.lastname@example.org and email@example.com.